Comerica Bank is liable for more than half a million dollars stolen in a 2009 cyber heist against a small business, a Michigan court ruled. Experts say the decision is likely to spur additional lawsuits from other victims that have been closely watching the case.
Judge Patrick J. Duggan found that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 wire transfers within a few hours from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered amounted to $560,000.
“A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier,” Duggan wrote. Judge Duggan has yet to decide how much Comerica will have to pay.
The problems for Experi-Metal started when company controller Keith Maslowski responded to an e-mail that appeared to be from its bank, Comerica. The message said the bank needed to carry out scheduled maintenance on its banking software, and instructed the EMI employee to log in at a Web site that appeared to be Comerica’s online banking site. Maslowski said the email resembled the annual e-mails Comerica used to send, prompting customers to renew EMI’s digital certificates.
The year before the cyber theft, Comerica had switched from using digital certificates to requiring commercial customers to enter a one-time passcode from a security token. The site linked to in the e-mail asked for that code, and Maslowski complied. Within the span of a few hours, the attackers made 97 wire transfers from EMI’s account to bank accounts in China, Estonia, Finland, Russia and Scotland.
Comerica became aware of the fraudulent transfers four hours after the attack began. Although it took steps to isolate Experi-Metal’s account, the bank failed to stop more than a dozen additional fraudulent transfers from the company’s account after that initial response. Experi-Metal sued the bank after it refused to cover any of the losses.
Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations can be held responsible for any losses due to phishing or account takeovers.
Michigan’s adoption of the Uniform Commercial Code means that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”
David Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association’s Information Security Committee, said the court signaled early on that it would not consider whether Comerica’s security was commercially reasonable.
“The real focus here was the good faith requirement, [and] the burden to establish good faith was on Comerica according to the court,” Navetta said. “While the court did not find any evidence of intentional wrongdoing, it did focus on whether Comerica observed ‘reasonable commercial standards of fair dealing.’ It found that such commercial standards had not been met by the bank.”
But Navetta said the reasoning behind the court’s opinion was “a little confused,” noting that the court indicated that the bank had established commercially reasonable security, but that the court based its decision in part on the lack of fraud detection mechanisms employed by Comerica.
“In the Court’s view there should have been fraud detection mechanisms to detect and analyze various ‘risk factors,’ including: Prior wire transfer activity; the length of EMI’s prior online banking sessions; the pace at which payment orders were entered; the destinations of the payment orders; and the identity of the wire transfer beneficiaries,” Navetta said. “In my view, fraud detection mechanisms are a form of security, so this contradicts on some level the findings around commercially reasonable security, and I think makes the analysis confusing; where do the security measures end and the ‘good faith’ measures begin?”
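As an added illustration (not from the article, the court or either party), here is one way a bank-side monitor could score each payment order against the five risk factors the court listed and hold the session as soon as several trip at once; the customer profile, timestamps, amounts, countries, beneficiary names and the threshold of three tripped factors are all constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Profile:            # baseline built from the customer's own history
    max_wires_per_day: int        # prior wire transfer activity
    usual_session_minutes: float  # length of prior online banking sessions
    usual_countries: set          # destinations of prior payment orders
    known_beneficiaries: set      # identities of prior wire beneficiaries
@dataclass
class Order:
    ts: datetime
    amount: float
    country: str
    beneficiary: str

def risk_factors(orders, session_start, profile, min_gap_seconds=60):
    """For each order, in entry sequence, list the risk factors it trips."""
    flags, prev_ts = [], None
    for i, o in enumerate(orders):
        tripped = []
        if i + 1 > profile.max_wires_per_day:
            tripped.append("volume")  # more wires than this customer sends in a day
        if o.ts - session_start > timedelta(minutes=profile.usual_session_minutes):
            tripped.append("session_length")
        if prev_ts is not None and o.ts - prev_ts < timedelta(seconds=min_gap_seconds):
            tripped.append("pace")  # keyed faster than a person enters a wire form
        if o.country not in profile.usual_countries:
            tripped.append("destination")
        if o.beneficiary not in profile.known_beneficiaries:
            tripped.append("beneficiary")
        flags.append(tripped)
        prev_ts = o.ts
    return flags

def first_hold_index(orders, session_start, profile, threshold=3):
    """Index of the first order to hold for out-of-band confirmation, or None."""
    for i, tripped in enumerate(risk_factors(orders, session_start, profile)):
        if len(tripped) >= threshold:
            return i
    return None

# Constructed sample: a small shop that normally sends a few domestic wires a month.
PROFILE = Profile(3, 15, {"US"}, {"steel-supplier", "payroll-vendor"})
SESSION_START = datetime(2009, 1, 22, 7, 30)
ORDERS = [
    Order(datetime(2009, 1, 22, 7, 32, 0), 4_000, "US", "steel-supplier"),
    Order(datetime(2009, 1, 22, 7, 35, 0), 25_000, "RU", "acct-7781"),
    Order(datetime(2009, 1, 22, 7, 35, 20), 19_500, "EE", "acct-2210"),
    Order(datetime(2009, 1, 22, 7, 35, 40), 22_000, "CN", "acct-9034"),
]
```

On this sample the third order already trips pace, destination and beneficiary together, so a hold would fire minutes into the session rather than hours later.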
The Comerica decision comes less than two weeks after a tentative decision in another widely watched cyber heist case, this one involving a $345,000 loss that stemmed from a similar attack on Sanford, Maine-based Patco Construction. Experts said the Patco decision, if adopted by a U.S. district court in Maine, will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.
But Charisse Castagnoli, an independent security consultant and adjunct professor at the John Marshall Law School, said she thinks the decision in the Comerica case could be a boon for victim organizations that have been hesitant about suing banks to recoup their losses.
“I think you’re going to see litigators more willing to take on these cases,” Castagnoli said.
Comerica’s lawyers say they are planning to appeal the decision. Comerica spokeswoman Kathleen A. Pitton said the bank’s security procedures were in compliance with those suggested by federal banking regulators.
“While we respect the judge’s opinion, Comerica believes it acted in good faith and plans to appeal,” Pitton said. “We presented evidence that disputes the allegations made against us and believe that, following a review of the evidence, the appellate court will agree and reverse this decision.”
The decisions in this case and the Patco case are being made at the trial level in different federal districts. They are not “case law.” Case law requires a published decision at the appellate level, and is only binding on the courts in the district where it is made. Other district courts may consider and quote trial and appellate rulings, but they are not bound to follow them. Establishing a uniform national standard for judging all cases involving cyber theft would require a decision by the U.S. Supreme Court. Banks and organizations may not be willing to carry their appeals to this level, fearing that a national standard may not be in their best economic interests.
KrebsonSecurity will continue to follow and report on these and other cases. If cyber theft remains out of control and legislators are unwilling to deal with the problem, then litigation and case law will be the only way to resolve the liability issues.
A copy of the court’s opinion is available here (PDF).